This plugin verifies the state of the clients connected to an OpenVPN server by means of the management interface.

The -H [IP or hostname of the OpenVPN server] and -p [port of the OpenVPN server] options are always obligatory. If the plugin can connect to the management interface, it shows the common name (as specified in the client certificate) of each connected client. Otherwise, it finishes with a critical state. The -i option shows the remote IP address of each client instead of its common name, and the -n option shows the number of connected clients. To verify that a particular client is connected, use one of these two options: -C [common name] or -r [remote IP address]. If either of these options is used, the exit state that the plugin returns when it does not find the client must also be specified with the -w [warning] or -c [critical] option.
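The option logic described above, as an added Python sketch that is not the plugin's own code: it parses a reply to the management interface "status" command and maps the result to a Nagios exit state. It assumes status format version 1; the function names, the sample reply and the wording of the not-found message are constructed for illustration.

```python
# Added example, not the plugin's source. Assumes the "status" reply of the
# management interface uses status format version 1 (comma-separated rows).
OK, WARNING, CRITICAL = 0, 1, 2          # Nagios exit codes
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}

# Constructed sample reply; names and addresses mirror this page's examples.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Jan  2 10:00:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
cliente1,192.168.0.5:49152,10240,20480,Mon Jan  2 09:00:00 2012
cliente2,192.168.0.15:50321,4096,8192,Mon Jan  2 09:30:00 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,cliente1,192.168.0.5:49152,Mon Jan  2 09:59:58 2012
10.8.0.10,cliente2,192.168.0.15:50321,Mon Jan  2 09:59:59 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_clients(status_text):
    """Return [(common_name, remote_ip)] from the CLIENT LIST section only."""
    clients, in_list = [], False
    for line in status_text.splitlines():
        if line.startswith("Common Name,"):
            in_list = True                # header row: client rows follow
        elif line.startswith("ROUTING TABLE"):
            break                         # routing table repeats the clients
        elif in_list:
            fields = line.split(",")
            if len(fields) >= 5:
                clients.append((fields[0], fields[1].rsplit(":", 1)[0]))
    return clients

def check(clients, common_name=None, remote_ip=None, missing_state=CRITICAL,
          show_ip=False, count_only=False):
    """Option logic from the text: -C, -r, -w/-c (missing_state), -i, -n."""
    names, ips = [c[0] for c in clients], [c[1] for c in clients]
    for wanted, seen in ((common_name, names), (remote_ip, ips)):
        if wanted is not None and wanted not in seen:   # exact match only
            # Message wording for the not-found case is constructed here.
            return missing_state, f"OpenVPN {LABEL[missing_state]}: {wanted} not connected"
    if count_only:
        return OK, f"OpenVPN OK: {len(clients)} connected clients."
    return OK, "OpenVPN OK: " + " ".join(ips if show_ip else names)

if __name__ == "__main__":
    code, message = check(parse_clients(SAMPLE_STATUS), common_name="cliente1",
                          missing_state=WARNING)
    print(message)
    raise SystemExit(code)
```

Only the CLIENT LIST section is read, so a client is counted once even though the routing table lists it again.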

Examples of use:

# Basic usage: returns the names of the connected clients. The -t option (timeout) is optional; the default value is 10.

check_openvpn -H 192.168.10.1 -p 1195 -P mypassword -t 5

OpenVPN OK: cliente1 cliente2

# Returns the remote IP address of the client instead of the common name

check_openvpn -H 192.168.10.1 -p 1195 -P mypassword -i

OpenVPN OK: 192.168.0.5 192.168.0.15

# Returns the number of connected clients.

check_openvpn -H 192.168.10.1 -p 1195 -P mypassword -n

OpenVPN OK: 2 connected clients.

# Check whether cliente1 is connected; if it is not, return warning.

check_openvpn -H 192.168.10.1 -p 1195 -P mypassword -C client -w

OpenVPN OK: cliente1 cliente2

# Check whether the machine with IP 192.168.0.15 is connected; if it is not, return critical.

Just a quick note: put something like this in your config file to enable the management interface:

management 127.0.0.1 2194 /etc/openvpn/management-password

and pass the relevant options in for this probe. (Put your password in that named file and get your permissions right!)

I'm using OpenVPN 2.2.2 on CentOS 5 in 2012 and I needed to make a few small changes for a point-to-point link (plus a few warning message tweaks). Unified diff follows. Thank you Jamie - using the management interface is the right way to do this (my previous grep hacks were silly).